CVE-2022-25480 in RtsPer Driver for PCIe Card Readerinfo

Summary

by MITRE • 07/02/2024

Vulnerability in Realtek RtsPer driver for PCIe Card Reader (RtsPer.sys) before 10.0.22000.21355 and Realtek RtsUer driver for USB Card Reader (RtsUer.sys) before 10.0.22000.31274 allows writing to kernel memory beyond the SystemBuffer of the IRP.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/06/2026

This vulnerability affects Realtek's PCIe and USB card reader drivers, specifically the RtsPer.sys and RtsUer.sys components that handle storage device operations. The flaw exists in the driver's handling of input/output requests where insufficient bounds checking allows for arbitrary memory writes beyond the allocated SystemBuffer. This represents a critical kernel-mode memory corruption vulnerability that can be exploited to gain elevated privileges on affected systems. The vulnerability stems from improper validation of buffer sizes during IRP (I/O Request Packet) processing, where the drivers fail to properly verify that data written to kernel memory remains within allocated boundaries.

The technical implementation of this vulnerability involves the driver's failure to validate input parameters during IOCTL (Input/Output Control) operations that process card reader data. When maliciously crafted input data is processed through these drivers, the buffer overflow occurs at the kernel level, allowing attackers to write data beyond the intended memory boundaries. This type of vulnerability is classified as a buffer overflow according to CWE-121, which specifically addresses stack-based buffer overflow conditions. The flaw is particularly dangerous because it operates at kernel level where all system privileges are available, making it a prime target for privilege escalation attacks.

The operational impact of CVE-2022-25480 extends beyond simple memory corruption to potentially enable full system compromise. Attackers can leverage this vulnerability to execute arbitrary code with kernel-level privileges, bypassing standard security controls and potentially establishing persistent backdoors. The vulnerability affects Windows operating systems where these Realtek drivers are installed, with the specific versions mentioned indicating the scope of affected releases. This vulnerability can be exploited through various attack vectors including malicious USB devices or specially crafted storage operations that trigger the vulnerable driver code paths.

Mitigation strategies should focus on immediate driver updates to versions that contain the patched implementations, which address the buffer overflow conditions through proper input validation and bounds checking. System administrators should also implement additional security controls such as driver signature enforcement, kernel-mode code integrity checking, and monitoring for suspicious driver behavior. The vulnerability aligns with ATT&CK technique T1068 which covers 'Exploitation for Privilege Escalation' and T1547.001 which covers 'Registry Run Keys / Startup Folder' as attackers may attempt to establish persistence through kernel-level modifications. Organizations should also consider implementing endpoint detection and response solutions that can identify unusual memory access patterns or kernel-level modifications that may indicate exploitation attempts.

Reservation

02/21/2022

Disclosure

07/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00189

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!